Introduction to Cisco NetFlow

Network management protocols like SNMP allow us to monitor our network. We can check things like cpu load, memory usage, interface status and even the load of an interface. Other tools like NBAR allow us to see what kind of protocols are used.

One of the things we can’t do with those tools is tracking all flows in our network. A flow is a stream of packets that share the same characteristics like source/destination port, source/destination address, protocol, type, service marking, etc.

NetFlow allows us to track these flows on our network. We can use this information to solve problems like bottlenecks, identify what applications are used, how much bandwidth they use etc.

For each of the flows, NetFlow will track the number of packets sent, bytes sent, packet sizes and more. You can configure your router to keep track of all flows and then export them to a central server where we analyze our traffic.

In this lesson I will show you how to configure NetFlow on a Cisco IOS router and we will take a look at a NetFlow server.

Configuration

This is the topology we will use:

On the left side we have a host that will be browsing the Internet through R1. At the bottom there’s a ntop server. This is open source traffic analysis software that supports NetFlow so if you want to give this a try, it’s worth checking out.

Configuring ntop is outside the scope of this lesson so I’ll focus on how to configure the router. First we have to specify the server:

R1(config)#ip flow-export destination 192.168.1.1 2055

The router will export all flows to 192.168.1.1 with destination UDP port 2055. NetFlow supports multiple versions so if you want to use a specific version, here’s how to do it:

R1(config)#ip flow-export version 9

I will configure the router to use version 9. Optionally, we can configure what interface the router should use to source the updates from:

R1(config)#ip flow-export source FastEthernet 0/0

The last thing we have to do is tell the router on what interfaces to track the flows:

I will use the ip route-cache flow command for this. When you use this command, it will track all flows on the physical and all sub-interfaces. You can also use the ip flow egress or ip flow ingress commands if you only want to enable it on one sub-interface or in one direction.

Everything is now in place, let’s verify our work.

Verification

Cisco IOS Router

On our router we can check a couple of things to see if NetFlow is working. Here’s the first command:

Above you can see some of the flows. The output above is useful to check if NetFlow is working on the router but it’s far more interesting to look at the flows on the external server.

Ntop Server

To show you what makes Netflow so useful, let me show you some screenshots of Ntop. Here you can see the top talkers of all flows:

Ntop can also show you the network load:

You can also see the throughput for each application:

You can also see the different packet sizes that are used in your flows:

Conclusion

NetFlow is a great protocol to get an insight in your network traffic. It’s the equivalent of a “phone bill” that specifies all calls that were made, where these calls took place, the duration, etc. Only this time, we are tracking all IP packets on the network.

Configurations

Want to take a look for yourself? Here you will find the configuration of R1.

After you enable NetFlow on an interface, NetFlow reserves memory to accommodate a number of entries in the NetFlow cache. Normally, the size of the NetFlow cache meets the needs of your NetFlow traffic rates. The cache default size is 64K flow cache entries. Each cache entry requires 64 bytes of storage. About 4 MB of DRAM are required for a cache with the default number of entries. Y

I think a typo here see below you say “Can`t” I think you mean “can”??

One of the things we can’t do with those tools is tracking all flows in our network. A flow is a stream of packets that share the same characteristics like source/destination port, source/destination address, protocol, type, service marking, etc.

New Lessons

Testimonials

Great Troubleshooting Resource

I cannot be more grateful to have found NetworkLessons.com to prepare for my CCIE journal. Rene really makes these topics very easy to understand and using real life examples, giving us proof of concept how different networking technologies work.

Jose AndaNetwork EngineerMay 9, 2016

Clarity, Pedagogy & Useful

I'm working to obtain the Cisco CCNP R&S certification and NetworkLessons.com makes me more understandable Cisco's technologies. Thanks a lot Renee for the quality of your lessons!

Cyril CamardNetwork EngineerOctober 8, 2015

Job Saver

The lessons are must-have for every network engineer as we all tend to forget concepts when we take a break on a specific protocol/technology. NetworkLessons.com helped me to excel in my networking skills and professional confidence in handling critical escalations, changes, and implementations. It's a job saver!

Sandeep PaulSenior Network EngineerJune 14, 2018

Learned So Much

Since I became a member, I have developed my skills quite a lot. I just started out studying networking and with help of NetworkLessons.com, I feel much more confident and better. They offer a lot of special content and it is easy to understand. All content is presented step by step and it is presented in a great way if you pursue a Cisco certification. I strongly recommend NetworkLessons.com for all who want to start with networking!

Heng SovandaraStudent January 15, 2018

Comprehensive & Accurate

NetworkLessons.com is very useful and significantly in my work as a technical support. I am enjoying the lessons a lot. The courses and lessons that provided by Rene and his team are easy to read and simple to understand. I also love his instruction videos which make me actually feel as if I were in his classroom. I am going to renew the membership forever!

Hussein SameerTechnical SupportSeptember 11, 2015

Really Helped Getting my CCIE

The lessons and explanations of NetworkLessons.com are presented in a very simple way that its easier to absorb than other sources and to get the hang of it. NetworkLessons.com has really helped me with my CCIE certification. Thanks!

Darmah RajSenior Network EngineerJuly 16, 2018

Amazing Site

NetworkLessons.com explains complex and hard to understand networking concepts in just plain English. It's hard to miss the concepts. Thank you for all of your hard work. It did help me, and will definitely help somebody else.

Meheretab MengistuNetwork EngineerJanuary 10, 2017

Simple & Effective Explanations

Very knowledgeable. NetworkLessons.com explains complex topics with great simplicity. Sometimes I asked for some advice during my studies and someone at the forum always answered me. Rene is humble and kind and has great communicative skills. It's easy to learn with his lessons. He is certainly one of the best teachers I've ever met.

Andrea D'OrsiNetwork EngineerJanuary 30, 2017

No Nonsense Networking

I have used Networklessons.com for preparation for the CCNP exam and it helped me to pass the 3 exams! The network topics are very well explained, and the videos are helpful too. Questions are answered quickly and to the point. Before I became a member, it took me 3 years to come to the understanding of how multicast sparse mode works; simply because I could not find anything that explained the whole process as simple and clear as Networklessons.com. I will continue to use Networklessons.com as a valuable reference site for my work!

Hans de RoodeCommunications / Network EngineerMarch 14, 2016

A Great Teacher

The learning experience is great, easy to learn and contains straight to the point explanations. Networklessons.com is a great teacher!

Dimitry MicukovIT Tech SupportApril 15, 2016

The Best Resource Out There

NetworkLessons.com has the secret ingredients to break down something complex and make it look crystal clear. Over the past 25 plus years, I have visited many blog sites and forums including the famous Group Study. I can tell you that NetworkLessons.com is the best resource I have come across. I feel privileged to be a member!

Ram ShummoogumNetwork ArchitectNovember 22, 2018

Perfect & Wonderful!

This website is very helpful in term of the beginner and advance lesson to get Cisco Certificates. Start the basic of each lesson then practices, Question and Answer are available online so that it's really helpful in case of any doubts, Many more, etc.